http://www.eweek.com/article2/0,3959,882142,00.asp
By Dennis Fisher
February 10, 2003
When the final version of President Bush's cyber-security plan is
released later this month, its success, in large part, will hinge on
the willingness of industry to buy in to the plan's recommendations.
The National Strategy to Secure Cyberspace depends heavily on network
operators and industry groups sharing with the government information
on network attacks, security threats and widespread vulnerabilities.
While similar efforts in the past have failed, some industry insiders
say there is reason to believe that this time may be different.
"The strategy is being accepted within the government," said Pete
Morrison, director of the public sector at security vendor Netegrity
Inc., in Waltham, Mass. "I've seen a new awareness inside the
government, and I think when people see that, they [will be] more
willing to take it seriously and help with information."
The centerpiece of the strategy, draft copies of which were reviewed
by eWeek last week, is a comprehensive cyber-security response system
that relies on contributions from the private sector. The system would
utilize a broad information-sharing program both inside and outside
the federal government, facilitated by a separate office within the
Department of Homeland Security, which the plan also calls for.
The "infrastructure protection program office," as referred to in the
draft, would handle the flow of data between the private sector and
the government. The office would also be responsible for determining
how to store information regarding critical infrastructure protection
that is voluntarily submitted by nongovernment organizations.
The strategy also recommends that the private sector develop a
centralized network operations center "that could operate 24-by-7, to
assess Internet health [and] complement the Department [of Homeland
Security's] centralized capability and the overall National Cyberspace
Security Response System," the draft reads.
This latest draft is very similar to the final document President Bush
approved and signed late last month, according to sources familiar
with the process. However, this final version differs greatly from the
preliminary draft released for comment by the President's Critical
Infrastructure Protection Board in September under the direction of
outgoing PCIPB Chairman Richard Clarke.
That original draft was divided into five sections - covering home
users and small businesses, large enterprises, critical sectors,
national priorities, and global issues. The final version is organized
along five priorities - a national cyberspace security response
system, a national cyberspace security threat and vulnerability
reduction program, a national cyberspace security awareness and
training program, securing governments' cyberspace, and international
cyberspace security cooperation.
And where the original draft was heavy on recommendations and
suggestions, the final version uses much stronger language, in many
cases issuing directives to various government agencies.
Still, the core of the new plan is cooperation and information
sharing - both sensitive subjects for the private sector. Past
information-sharing concepts, not sponsored by the government, have
centered on organizations such as the industry-specific Information
Sharing and Analysis Centers and the FBI's InfraGard. However, these
and other plans have lacked a good definition of the kind of data the
government needs and how it's going to be handled once it's submitted.
As such, security experts say this time around, the government would
do well to make such distinctions.
"Sharing information [on vulnerabilities] reveals nothing that would
make a company look bad in front of its customers," said Stuart
Schechter, a security researcher at Harvard University, in Cambridge,
Mass., and co-author of a paper on the benefits of information
sharing. "Even revealing that you've seen a vulnerability exploited
doesn't reveal that this has resulted in a successful attack. Better
statistics on just how many systems are broken into because systems
aren't patched would be nice to know - but most of us know where these
systems fail. Better numbers on losses from attacks would certainly be
useful."
However, some security experts are pessimistic about the chances for
widespread cooperation.
"History has shown that unless they're forced to, people won't reveal
any information, for obvious reasons," said Avi Rubin, associate
professor of computer science and technical director of the
Information Security Institute at Johns Hopkins University, in
Baltimore. "On the other hand, we still don't have good protective
measures yet. They need to allocate more funding to research. They
should let those of us who know what we're doing do it."
KEY DETAILS OF THE NATIONAL STRATEGY
* Establishment of an infrastructure protection office for data sharing
* Recommendation that the private sector establish a central network operations center to gather security data
* Language reserving the government's right to conduct cyber-warfare operations if attacked online
* Recommendation that software vendors make their products more secure out of the box